
Junos Space Security Director Sync Error

‎04-08-2020 02:40 AM

Hello,

Synchronizing with the SRX results in the following errors:

 

Error while reading config from device: Device
Operational RPC Command Results
Unable to establish connection with the device (Device Id: device_id). because all channels&n

 

Does anyone know what it could be?

12 REPLIES

Re: Junos Space Security Director Sync Error

‎04-08-2020 03:09 AM

Hello,

 

As per the error, it looks like Space SD is unable to establish connectivity with the Device/SRX.

It is not able to fetch the RPC from the device; it seems like the NETCONF channel is broken.

 

Have you recently modified the USER credentials on DEVICE with which you are managing it from Space /SD?

 

Please test the following-

  • Is the device showing connection status as UP or DOWN in the Device Management page?
  • What is the Configuration Status: InSync, Out Of Sync or Sync Failed?

 

Better to log a JTAC case to assist you in this regard.

 

Regards
-Animesh
If this worked for you please flag my post as an "Accepted Solution" so others can be benefited.

Re: Junos Space Security Director Sync Error

‎04-08-2020 03:17 AM

Device is displayed as up

Configuration Status: Out Of Sync

 

Re: Junos Space Security Director Sync Error

‎04-08-2020 03:30 AM
If the Device is UP then SSH connectivity between Space and Device is working fine.


Error : Unable to establish connection with the device (Device Id: device_id). because all channels&n
If Resync is not working with the error "Because All Channels (Netconf) are busy", then it looks like the device is not letting Space establish a Netconf channel to do the RPC polling to bring the Device in Sync.

This happens when all the default 32-channels given in the SRX are busy and the existing sessions are not closed.

I suggest logging a SRX Ticket as well as a Space ticket for this issue.
In SRX as well, this was a Software version Bug. Better to involve TAC to investigate the Logs and apply the workaround.

From the Space end, there is a related PR for this issue (Confidential PR), which states to disable SD Device Monitoring and then restart the JBoss service. But better not to do it without JTAC assistance.
Regards
-Animesh
If this worked for you please flag my post as an "Accepted Solution" so others can be benefited.

Re: Junos Space Security Director Sync Error

‎04-08-2020 03:51 AM

I can reach the SRX via SSH from the Space CLI without problems.


Re: Junos Space Security Director Sync Error

‎04-08-2020 04:03 AM

Hi,

 

Space doesn’t do simple ssh to connect to Device.

It does ssh over netconf channel.

 

Test with : and run the below RPC Command from Space CLI-

 

ssh <Device-Username>@<Device-IP> -s netconf

 

<rpc><get-interface-information/></rpc><rpc><close-session/></rpc>

 

eg.:

[root@space-005056a9fa63 ~]# ssh labroot@10.2.3.4 -s netconf
Password:
<!-- No zombies were killed during the creation of this user interface -->
<!-- user root, class super-user -->
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:confirmed-commit:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:validate:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:url:1.0?scheme=http,ftp,file</capability>
    <capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:candidate:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:confirmed-commit:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:validate:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:url:1.0?protocol=http,ftp,file</capability>
    <capability>http://xml.juniper.net/netconf/junos/1.0</capability>
    <capability>http://xml.juniper.net/dmi/system/1.0</capability>
  </capabilities>
  <session-id>259</session-id>
</hello>
]]>]]>
<rpc><get-interface-information/></rpc><rpc><close-session/></rpc>

 

## This command will fetch the RPC output for Interface info from Device.

 

If this works then please engage Space JTAC to manually bring the device down from Database and allow the Netconf channel to reestablish between Space and the Device.

 

Regards
-Animesh
If this worked for you please flag my post as an "Accepted Solution" so others can be benefited.
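
An added example, not part of the original posts: a checker for output captured from the `ssh ... -s netconf` test described above, which splits the stream on the `]]>]]>` delimiter and reports whether a `<hello>` arrived, how many replies came back, and whether the session closed cleanly. The function names and the sample stream are constructed for illustration.

```python
import xml.etree.ElementTree as ET

EOM = "]]>]]>"  # NETCONF 1.0 end-of-message delimiter, visible in the session above
NS = "urn:ietf:params:xml:ns:netconf:base:1.0"

# Constructed sample of device output (hello, interface reply, close-session reply).
SAMPLE = f"""<!-- user root, class super-user -->
<hello xmlns="{NS}">
  <capabilities>
    <capability>http://xml.juniper.net/netconf/junos/1.0</capability>
  </capabilities>
  <session-id>259</session-id>
</hello>
{EOM}
<rpc-reply xmlns="{NS}"><interface-information/></rpc-reply>
{EOM}
<rpc-reply xmlns="{NS}"><ok/></rpc-reply>
{EOM}
"""

def local(tag):
    """Element name without its XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def check_session(stream):
    """Summarise captured output: hello seen, replies, errors, clean close."""
    out = {"session_id": None, "capabilities": [], "replies": 0, "errors": [], "closed": False}
    for msg in filter(None, map(str.strip, stream.split(EOM))):
        try:
            root = ET.fromstring(msg)  # comments before the root element are ignored
        except ET.ParseError as exc:
            out["errors"].append(f"unparseable message: {exc}")
            continue
        if local(root.tag) == "hello":
            for el in root.iter():
                if local(el.tag) == "capability":
                    out["capabilities"].append((el.text or "").strip())
                elif local(el.tag) == "session-id":
                    out["session_id"] = int(el.text)
        elif local(root.tag) == "rpc-reply":
            out["replies"] += 1
            out["errors"] += [(el.text or "").strip() for el in root.iter()
                              if local(el.tag) == "error-message"]
            # In this two-RPC test a bare <ok/> is the reply to <close-session/>.
            out["closed"] = out["closed"] or [local(c.tag) for c in root] == ["ok"]
    if out["session_id"] is None:
        out["errors"].append("no <hello> received: NETCONF channel not established")
    return out
```

A result with no `session_id` means the subsystem never came up, while a session that opens but never reports `closed` is the kind that leaves a channel occupied on the device.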

Re: Junos Space Security Director Sync Error

‎04-08-2020 04:31 AM

Hi,

 

It seems you are getting the "all channels are busy" error during sync. This is because all the channels are already occupied and no new channel is available to get the configuration.

 

On the SRX CLI, please check:

 

show configuration system services ssh 

 

It should have : 

set system services ssh max-sessions-per-connection 32

 

-PL

-PL
If this worked for you please flag my post as an "Accepted Solution" so others can benefit. Kudos are always appreciated!

Re: Junos Space Security Director Sync Error

‎04-08-2020 04:33 AM

And this is mostly an SRX code issue where the SRX is not able to close the connection/channels.

I think it is fixed in 15.1X49-D200.

Please raise a case with SRX JTAC and confirm.

 

-PL

-PL
If this worked for you please flag my post as an "Accepted Solution" so others can benefit. Kudos are always appreciated!

Re: Junos Space Security Director Sync Error

‎04-08-2020 11:47 PM

Hello,
I restarted the management server and it's working again.

Re: Junos Space Security Director Sync Error

‎04-08-2020 11:54 PM
Glad to know that the issue is resolved now, but it may come again if you were getting “all channels are busy”.
I think after rebooting the management box (Junos Space), some of the channels used by JSpace were closed, and that’s why it is not showing that issue now.

Thank you.

Regards,
PL
-PL
If this worked for you please flag my post as an "Accepted Solution" so others can benefit. Kudos are always appreciated!

Re: Junos Space Security Director Sync Error

‎04-08-2020 11:57 PM
It's good to know that, but I will recommend getting this checked by the SRX TAC. The issue may re-occur as well.
Regards
-Animesh
If this worked for you please flag my post as an "Accepted Solution" so others can be benefited.